web/outdated

so this website takes a python code file from the user and executes it in the server using the command subprocess

so to execute a python file we have to click on the upload button

before submitting any file intercept the submit request using burp and then send the request to repeater

i have created a simple python file that prints a string

in the response it shows us the code and the resonse of the code executed

so what we have to do now is try to locate the flag in the server and print it

after trying to list the files in the current directory it somehow blocks us

looking at the source code we find out that it's blocking a bunch of very important keywords that normally used to execute system commands

so we have to escape them and try to find another way

List all classes which are running in this python system by using this command print("".__class__.__mro__[1].__subclasses__())

the response is not clear so right click on the response and then click on show response in browser and copy the link and paste it in the browser

so let's copy all the array and paste it in an editor so we can view them properly

Find the index of <class 'os._wrap_close'> in this case the index of <class 'os._wrap_close'> is 132

Call the system module in __globals__ to list files and directories by using this command "".__class__.__mro__[1].__subclasses__()[132].__init__.__globals__['s' + 'ys' + 'tem']('ls -la')

and we can see the flag so now let's use the command cat to read its content

Show the flag string from flag.txt by using this command "".class.mro[1].subclasses()[132].init.globals['s' + 'ys' + 'tem']('cat flag-8f42541e-b457-42a3-8aae-a43d2d9782da.txt')

tjctf{oops_bad_filter_3b582f74}

Last updated 1 year ago

Was this helpful?